Bug 1009608 - [RFE] Limit east-west traffic of VMs with network filter
Summary: [RFE] Limit east-west traffic of VMs with network filter
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.6.9
Hardware: All
OS: Linux
Target Milestone: ovirt-4.3.0
: 4.3.0
Assignee: Ales Musil
QA Contact: Michael Burman
Whiteboard: network
Depends On: 1603115
Blocks: 1610979
TreeView+ depends on / blocked
Reported: 2013-09-18 17:14 UTC by Allie DeVolder
Modified: 2021-09-09 11:32 UTC (History)
25 users (show)

Fixed In Version: ovirt-engine-4.3.0_alpha
Doc Type: Enhancement
Doc Text:
This release allows you to limit east-west traffic of VMs, to enable traffic only between the VM and a gateway. The new filter 'clean-traffic-gateway' has been added to libvirt. With a parameter called GATEWAY_MAC, a user can specify the MAC address of the gateway that is allowed to communicate with the VM and vice versa. Note that users can specify multiple GATEWAY_MACs. There are two possible configurations of VM: 1) A VM with a static IP. This is the recommended setup. It is also recommended to set the parameter CTRL_IP_LEARNING to 'none'. Any other value will result in a leak of initial traffic. This is caused by libvirt's learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for more details). 2) A VM with DHCP. DHCP is working partially. It is not usable in production currently (https://bugzilla.redhat.com/show_bug.cgi?id=1651499). The filter has a general issue with ARP leak (https://bugzilla.redhat.com/show_bug.cgi?id=1651467). Peer VMs are able to see that the VM using this feature exists (in their arp table), but are not able to contact the VM, as the traffic from peers is still blocked by the filter.
Clone Of:
: 1610979 (view as bug list)
Last Closed: 2019-05-08 12:36:47 UTC
oVirt Team: Network
Target Upstream Version:
nyechiel: Triaged+
mburman: testing_plan_complete+

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 640003 0 None None None Never
Red Hat Product Errata RHEA-2019:1085 0 None None None 2019-05-08 12:37:29 UTC
oVirt gerrit 93109 0 'None' MERGED db: Add clean-traffic-gateway into network filters 2021-01-11 08:42:17 UTC

Description Allie DeVolder 2013-09-18 17:14:53 UTC
Description of problem:

Support for private virtual local area networks (PVLAN) allowing to 'sub-partition' a VLAN by restricting switch ports to only communicate with a given 'uplink' - avoiding 'per-to per' communication (extension to the VLAN standard).

Private VLAN works when assigning IP to interface directly on RHEL KVM hypervisor server...but when creating a bridge using same interface and assign network to VM..it does not work.

Comment 18 fnanushr 2018-03-28 22:24:46 UTC

Red Hat Virtualization Manager Administration portal
Navigate to any network N under a datacenter. Open the associated vNIC profile. The 'Network Filter' shows a drop down list of only the built-in network filters.

A way to create a new network filter and associate it with a vNIC profile from the administration portal.

Comment 19 Dan Kenigsberg 2018-04-01 13:20:55 UTC
(In reply to fnanushr from comment #18)
> RFE:
> A way to create a new network filter and associate it with a vNIC profile
> from the administration portal.

bug 1544666 is all about letting Engine select a non-built-in nwfilter, that is already deployed to all hosts. Here you request a way to deploy nwfilter to all hosts, which I believe is better done by Ansible, possibly triggered by ovirt-host-deploy. If you think differently, please file an independent RFE.

Comment 20 Yaniv Lavi 2018-06-10 11:39:10 UTC
We will look to add the network filter into libvirt and gateway option in RHV to enable this use case.

Comment 21 spower 2018-07-03 10:53:26 UTC
We agreed to remove RFEs component from Bugzilla, if you feel the component has been renamed incorrectly please reach out.

Comment 22 Yaniv Lavi 2018-07-19 11:53:43 UTC
Upstream patch is going well and we will ask to add the filter to a coming RHEL release.

Comment 24 Dan Kenigsberg 2018-08-20 06:43:26 UTC
Please add to cluster level 4.2, too.

We can add a release note that only folks with el7.6 can actually opt in and choose this new filter.

Comment 25 Michael Burman 2018-09-05 05:57:18 UTC
Verified on - 4.3.0-0.0.master.20180902070649.gita860c9c.el7
kernel 3.10.0-940.el7.x86_64
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
rhel 7.5 guests(VMs)

For test flow see BZ 1610979#26

Comment 27 errata-xmlrpc 2019-05-08 12:36:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.